Once viewed as a safe digital playground for kids, Roblox is now in the spotlight for all the wrong reasons. A new class action lawsuit is accusing the company of violating children’s privacy by secretly tracking their activity without proper consent.
Filed in a California federal court by plaintiffs Michael and Salena Garcia, the suit alleges that Roblox Corporation is in breach of federal privacy laws.
The 45-page filing paints a troubling picture. It claims Roblox uses hidden tracking tools that effectively “wiretap” everything a player does on the platform, from keystrokes and mouse movements to private messages and search activity.
According to the lawsuit, Roblox also collects device-specific data that can be used to identify individual users and map their in-game behavior. The company allegedly monetizes this data by serving up personalized content to keep players engaged, or by giving personal information to third-party advertisers.
Focusing on Game Safety
Parents often focus on in-game safety, but it’s equally important to consider the security of the mobile device and app itself, comments Kern Smith, Vice President of Global Solutions at Zimperium.
“Mobile apps, especially those as widely used as Roblox, can be targets for malware, phishing, and exploitation through unpatched vulnerabilities. If the device is compromised, attackers can access sensitive information, hijack sessions, or manipulate app behaviors. We encourage parents to ensure that their child’s device has protection in place to detect threats in real time and prevent attackers from exploiting mobile-first vulnerabilities.”
Beware Interactive Features
“As with any online game or social app, parents need to be vigilant about the interactive features in Roblox, as they can sometimes lead to scams or inappropriate behaviour,” adds Boris Cipot, Senior Security Engineer at Black Duck. “The chat function is a great way for players to connect, share strategies, and collaborate, but it also carries risks. Children may be exposed to offensive language or be tempted to share personal information.”
Cipot says setting up privacy and parental controls properly and regularly reviewing them is crucial. “It’s also important to talk to your children about common online scams targeting Roblox users. These can include fake Robux generators or phishing links disguised as in-game rewards. Remind them never to share private or account details with anyone.”
Open, Ongoing Dialogue
For Casey Ellis, Founder at Bugcrowd, the most effective way to keep kids safe on these platforms is open, ongoing dialogue. “Technology can help—privacy settings, parental controls, and monitoring tools are all useful—but they’re no substitute for trust and communication. Kids need to feel comfortable coming to their parents when something doesn’t seem right, whether it’s a stranger reaching out, encountering inappropriate content, or even just a gut feeling that something’s off.”
Roblox, like any online platform, has its risks. Privacy concerns, like the allegations of tracking children’s data, are a big one, says Ellis. “Parents should ensure accounts are set up with minimal personal information and use strong passwords and two-factor authentication. Beyond that, the social interaction piece is critical. While Roblox fosters creativity and connection, it’s also a space where bad actors can operate. Teaching kids to recognize red flags, like someone asking for personal details, trying to move conversations off-platform, or trying to encourage them towards ‘illegal’ activity within the app, is key.”
The other thing is to normalize conversations about mistakes, Ellis says. “Kids are curious, and sometimes that curiosity can lead them into risky or even harmful situations online. If they feel they can talk to you without fear of punishment, you’re far more likely to catch and address issues early. Think of it as creating a ‘safe space’ for them to share what they’re experiencing. Ultimately, the goal isn’t to scare kids away from technology but to empower them to use it wisely. Open communication builds the kind of awareness and resilience that no app or setting can replace.”
API Risks
While in-game interactions are often prioritized, the security of the platform’s underlying systems is just as important, says Eric Schwake, Director of Cybersecurity Strategy at Salt Security. “Reports revealing potential vulnerabilities in support ticket systems underline that technical flaws in the infrastructure managing sensitive user data and communications, often through APIs, can present genuine risks. These vulnerabilities might allow unauthorized access to a child’s account or compromise personal information if these vulnerabilities are exploitable.”
Schwake says parents should use all available in-app safety settings and should also recognize that the security posture of the platform provider plays a fundamental role in safeguarding their children. “These platforms need to enact robust security measures throughout all their systems, including API infrastructure, in order to deter potential exploits that could affect young users.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


